{"id":"GHSA-g4cf-xj29-wqqr","summary":"Parse Server: Denial of Service via unindexed database query for unconfigured auth providers","details":"### Impact\n\nAn unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.\n\n### Patches\n\nThe fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.","aliases":["BIT-parse-2026-33538","CVE-2026-33538"],"modified":"2026-03-27T22:03:47.941344Z","published":"2026-03-24T19:11:40Z","database_specific":{"nvd_published_at":"2026-03-24T19:16:54Z","severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-400"],"github_reviewed_at":"2026-03-24T19:11:40Z"},"references":[{"type":"WEB","url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33538"},{"type":"WEB","url":"https://github.com/parse-community/parse-server/pull/10270"},{"type":"WEB","url":"https://github.com/parse-community/parse-server/pull/10271"},{"type":"WEB","url":"https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357"},{"type":"WEB","url":"https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54"},{"type":"PACKAGE","url":"https://github.com/parse-community/parse-server"}],"affected":[{"package":{"name":"parse-server","ecosystem":"npm","purl":"pkg:npm/parse-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"9.0.0"},{"fixed":"9.6.0-alpha.52"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g4cf-xj29-wqqr/GHSA-g4cf-xj29-wqqr.json"}},{"package":{"name":"parse-server","ecosystem":"npm","purl":"pkg:npm/parse-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"8.6.58"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g4cf-xj29-wqqr/GHSA-g4cf-xj29-wqqr.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}